

Ethical Hacking News

Citrix NetScaler Devices Exposed to Critical CitrixBleed 2 Bug: A Warning to Organizations



Citrix NetScaler devices left unpatched against the critical CitrixBleed 2 bug pose a significant risk to organizations worldwide. With over 3,300 devices exposed, it is essential that organizations act swiftly to secure their systems and prevent potential attacks. Read on for more details about this vulnerability and the steps organizations can take to protect themselves.

  • Over 3,300 unpatched NetScaler devices were left vulnerable to the CitrixBleed 2 bug.
  • The vulnerability allows attackers to bypass authentication and steal sensitive data from public-facing gateways and virtual servers.
  • Proof-of-concept exploits targeting CVE-2025-5777 were released within two weeks of the flaw's disclosure.
  • A second related vulnerability, CVE-2025-6543, is also actively exploited in denial-of-service attacks.
  • The U.S. Cybersecurity and Infrastructure Security Agency has added both vulnerabilities to its catalog of actively exploited vulnerabilities.



    Citrix has issued a warning to its customers after over 3,300 NetScaler devices were left unpatched against the critical CitrixBleed 2 bug, nearly two months after patches were released. This vulnerability, tracked as CVE-2025-5777, allows attackers to bypass authentication by hijacking user sessions.

    The CitrixBleed 2 bug is an out-of-bounds memory read vulnerability that results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions remotely on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This means that if an attacker can gain access to one of these devices, they can steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, allowing them to hijack user sessions and bypass multi-factor authentication (MFA).
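A defender's check for the affected configuration described above, as an added example that is not from the original article or from Citrix: it scans an exported `ns.conf` for Gateway (`add vpn vserver`) and AAA (`add authentication vserver`) definitions so that in-scope appliances can be prioritized for patching. The sample configuration and every name and address in it are constructed.

```python
import shlex

# Virtual-server types the article names as affected.
AFFECTED_TYPES = {"vpn": "Gateway", "authentication": "AAA"}

# Constructed sample ns.conf excerpt (documentation-range addresses).
SAMPLE_NS_CONF = '''
add lb vserver lb_web HTTP 192.0.2.10 80 -persistenceType NONE
add vpn vserver "gw external" SSL 192.0.2.20 443 -icaOnly ON
add authentication vserver aaa_int SSL 0.0.0.0 0
add cs vserver cs_front SSL 192.0.2.30 443
bind vpn vserver "gw external" -policy pol_session
'''

def find_affected_vservers(ns_conf_text):
    """Return one dict per Gateway/AAA virtual server defined in ns.conf text."""
    found = []
    for raw in ns_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # keeps quoted names with spaces whole
        except ValueError:
            tokens = line.split()           # unbalanced quotes: still inspect the line
        # Expected shape: add <type> vserver <name> <protocol> <ip> <port> ...
        if len(tokens) < 4 or tokens[0].lower() != "add" or tokens[2].lower() != "vserver":
            continue
        role = AFFECTED_TYPES.get(tokens[1].lower())
        if role is None:
            continue                        # lb, cs and other vserver types
        ip = tokens[5] if len(tokens) > 5 else None
        found.append({
            "role": role,
            "name": tokens[3],
            "ip": ip,
            "port": tokens[6] if len(tokens) > 6 else None,
            # 0.0.0.0 marks a vserver with no listener of its own; it is
            # still reported because it may be reached through another vserver.
            "addressable": ip not in (None, "0.0.0.0"),
        })
    return found

if __name__ == "__main__":
    for vs in find_affected_vservers(SAMPLE_NS_CONF):
        print(f'{vs["role"]:8} {vs["name"]!r:16} {vs["ip"]}:{vs["port"]} '
              f'addressable={vs["addressable"]}')
```

An empty result means the configuration defines neither virtual-server type; any hit puts the appliance in the affected configuration, regardless of the `addressable` flag.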

    Proof-of-concept (PoC) exploits targeting CVE-2025-5777 were released less than two weeks after the flaw was disclosed, while active exploitation in zero-day attacks was detected weeks before the release of these PoC exploits. This suggests that attackers have been taking advantage of this vulnerability for some time, and it is only a matter of time before more sophisticated attacks are launched.

    A similar Citrix security flaw, known as "CitrixBleed," was exploited two years ago to hack NetScaler devices and move laterally across compromised networks in ransomware attacks and breaches targeting government entities. This highlights the ongoing need for vigilance and proactive security measures to protect against such threats.

    Citrix has also tagged CVE-2025-6543 as actively exploited in denial-of-service (DoS) attacks. This second vulnerability is a memory overflow vulnerability that can lead to unintended control flow and denial of service. The Netherlands' National Cyber Security Centre (NCSC) has warned that attackers have exploited this flaw as a zero-day since at least early May to breach multiple critical organizations in the country.

    The NCSC assesses the attacks as the work of one or more actors with an advanced modus operandi, and notes that the vulnerability was exploited as a zero-day, with traces actively removed to conceal compromise at affected organizations. While no specific details about the affected organizations have been disclosed, it is clear that this attack highlights the ongoing threat posed by unpatched vulnerabilities.

    In light of these developments, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2025-5777 and CVE-2025-6543 to its catalog of actively exploited vulnerabilities, ordering federal agencies to secure their systems against CVE-2025-5777 attacks within a day and against CVE-2025-6543 exploitation by July 21st.

    As organizations grapple with the fallout from this latest vulnerability, it is essential that they take proactive steps to protect themselves. This includes ensuring that all devices are up-to-date with the latest patches, implementing robust security measures to prevent unauthorized access, and educating employees on the importance of secure password practices.

    In conclusion, the discovery of the CitrixBleed 2 bug highlights the ongoing need for vigilance in the face of rapidly evolving cybersecurity threats. As organizations navigate this complex landscape, it is crucial that they prioritize proactive security measures and take swift action to patch vulnerabilities before they can be exploited by attackers.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-NetScaler-Devices-Exposed-to-Critical-CitrixBleed-2-Bug-A-Warning-to-Organizations-ehn.shtml

  • Published: Tue Aug 12 10:45:17 2025 by llama3.2 3B Q4_K_M












